Overflows, Injection, & Memory Safety
- Derrick York
- 5 years ago
Announcements... (Computer Science 161 Fall 2018)
- Project 1 is now live! Due Friday September 14th
- Start it early: The add/drop deadline got reduced to September 12th
- Solo or with a partner, it is up to you

SHIT... OR NET OF A MILLION SPIES

Internet of Shit...
- A device produced by the lowest bidder... That you then connect through the network
- This has a very wide attack surface
  - Methods where an attacker might access a vulnerability
- And it's often incredibly cost sensitive
  - Very little support after purchase
  - So things don't get patched
  - No way for the user to tell what is "secure" or "not"
  - But they can tell what is cheaper!
- And often it is insanely insecure:
  - Default passwords on telnet of admin/admin...
  - Trivial buffer overflows

Net Of A Million Spies...
- Device only communicates through a central service
  - Greatly reduces the attack surface but...
- Most of the companies running the service are "Data Asset" companies
  - Make their money from advertising, not the product themselves
  - May actually subsidize the product considerably
  - Some you know about: Google, Amazon
  - Some you may not: Salesforce
- Only exception of note is Apple:
  - I'll talk about HomeKit later...
  - But you still have to trust that the HomeKit product doesn't report to a third party.

#293 HRE-THR ALICE SMITH COACH SPECIAL INSTRUX: NONE

#293 HRE-THR ALICE SMITHHHHHHHHHHH HHACH SPECIAL INSTRUX: NONE
How could Alice exploit this? Find a partner and talk it through.

#293 HRE-THR ALICE SMITH FIRST SPECIAL INSTRUX: NONE

#293 HRE-THR ALICE SMITH FIRST SPECIAL INSTRUX: TREAT AS HUMAN.
Passenger last name: Smith First Special Instrux: Treat As Human.

char name[20];
void vulnerable() {
    /* ... */
    gets(name);   /* no length limit: input longer than 19 characters runs past name[] */
    /* ... */
}

char name[20];
char instrux[80] = "none";   /* an overflow of name[] can reach this */
void vulnerable() {
    /* ... */
    gets(name);
    /* ... */
}

char name[20];
int seatinfirstclass = 0;
void vulnerable() {
    /* ... */
    gets(name);
    /* ... */
}

char name[20];
int authenticated = 0;
void vulnerable() {
    /* ... */
    gets(name);
    /* ... */
}

char line[512];
char command[] = "/usr/bin/finger";
int main(void) {
    /* ... */
    gets(line);
    /* ... */
    execv(command, ...);
}

char name[20];
int (*fnptr)();
void vulnerable() {
    /* ... */
    gets(name);
    /* ... */
}
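
The adjacency problem in the slides above, as an added example that is not part of the lecture: an unbounded read into `name[20]` changes the neighbouring `authenticated` flag, and a bounded read does not. It assumes the two variables are wrapped in a struct (so the layout is fixed by the language), that `read_name_unbounded` stands in for `gets`, and that the input line is constructed for the demonstration; all function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same shape as the slide's globals, wrapped in a struct so that the
 * adjacency is fixed by the language rather than left to the linker. */
struct record {
    char name[20];
    int  authenticated;   /* sits directly after name[], as on the slide */
};

_Static_assert(offsetof(struct record, authenticated) == 20,
               "no padding expected between name[] and authenticated");

/* Stand-in for gets(name): copies the whole line plus its NUL and ignores
 * sizeof(name). The copy goes through a byte view of the whole record and
 * is capped at sizeof(struct record), so the demonstration itself never
 * leaves the object it is describing. */
static void read_name_unbounded(struct record *r, const char *line)
{
    size_t n = strlen(line) + 1;
    if (n > sizeof *r)
        n = sizeof *r;
    memcpy((unsigned char *)r, line, n);
}

/* Bounded replacement: writes at most sizeof(name) bytes, always
 * NUL-terminates, and tells the caller when the input was cut short. */
static int read_name_bounded(struct record *r, const char *line)
{
    size_t n = strlen(line);
    int truncated = n >= sizeof r->name;
    if (truncated)
        n = sizeof r->name - 1;
    memcpy(r->name, line, n);
    r->name[n] = '\0';
    return truncated;
}

/* Value of the flag after each kind of read, starting from 0. */
int authenticated_after_unbounded(const char *line)
{
    struct record r = { "", 0 };
    read_name_unbounded(&r, line);
    return r.authenticated;
}

int authenticated_after_bounded(const char *line)
{
    struct record r = { "", 0 };
    read_name_bounded(&r, line);
    return r.authenticated;
}

int main(void)
{
    /* Constructed input: 20 filler characters plus one more byte. */
    const char *line = "AAAAAAAAAA" "AAAAAAAAAA" "B";

    printf("unbounded read: authenticated = %d\n",
           authenticated_after_unbounded(line));
    printf("bounded read:   authenticated = %d\n",
           authenticated_after_bounded(line));
    return 0;
}
```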

void vulnerable() {
    char buf[64];   /* buffer on the stack */
    /* ... */
    gets(buf);
    /* ... */
}

Still vulnerable?

void still_vulnerable() {
    char *buf = malloc(64);   /* buffer on the heap */
    /* ... */
    gets(buf);
    /* ... */
}

Linux (32-bit) process memory layout
[Figure: address space drawn from high addresses (0xFFFFFFFF) to low, with regions in this order: reserved for kernel, user stack, shared libraries, run time heap, static data segment, text segment (program), unused. Other labels: $esp, brk, "Loaded from exec".]

[Figure: the same layout with one frame of the user stack expanded, top to bottom: arguments, return address (to the point at which this function was called), stack frame pointer (to previous stack frame pointer), exception handlers, local variables, callee saved registers.]

void safe() {
    char buf[64];
    /* ... */
    fgets(buf, 64, stdin);
    /* ... */
}

void safer() {
    char buf[64];
    /* ... */
    fgets(buf, sizeof(buf), stdin);   /* limit follows the buffer if its size changes */
    /* ... */
}

Assume these are both under the control of an attacker.

void vulnerable(int len, char *data) {
    char buf[64];
    if (len > 64)
        return;
    memcpy(buf, data, len);
}

void *memcpy(void *s1, const void *s2, size_t n);

size_t is unsigned: What happens if len == -1?

void safe(size_t len, char *data) {
    char buf[64];
    if (len > 64)
        return;
    memcpy(buf, data, len);
}

void f(size_t len, char *data) {
    char *buf = malloc(len+2);
    if (buf == NULL)
        return;
    memcpy(buf, data, len);
    buf[len] = '\n';
    buf[len+1] = '\0';
}

Is it safe? Talk to your partner.
Vulnerable! If len = 0xffffffff, allocates only 1 byte
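
The two length bugs above, worked through as an added example that is not part of the lecture: it shows what the signed check lets through, what `memcpy` would then receive, what `len+2` wraps to, and checked versions of both functions. It uses `SIZE_MAX` where the slide uses the 32-bit value 0xffffffff; all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The slide's check in isolation: 1 if a signed len gets past "len > 64". */
int passes_signed_check(int len)
{
    return !(len > 64);
}

/* The value memcpy() receives as its size_t n for that int. */
size_t as_memcpy_size(int len)
{
    return (size_t)len;
}

/* The slide's allocation size, len+2, in size_t arithmetic (it wraps). */
size_t naive_alloc_size(size_t len)
{
    return len + 2;
}

/* Checked copy into a fixed buffer: rejects negative and oversized
 * lengths before the value is ever converted to size_t. */
int copy_checked(char *buf, size_t buf_size, int len, const char *data)
{
    if (len < 0 || (size_t)len > buf_size)
        return -1;
    memcpy(buf, data, (size_t)len);
    return 0;
}

/* Helper for the demonstration: runs copy_checked against a 64-byte
 * buffer and 64 bytes of constructed data. */
int try_copy(int len)
{
    static const char data[64] = "constructed sample data";
    char buf[64];
    return copy_checked(buf, sizeof buf, len, data);
}

/* Checked version of f(): refuses any len for which len+2 would wrap.
 * Unlike the slide's f(), it returns the buffer so the caller can use
 * and free it. */
char *copy_line(size_t len, const char *data)
{
    if (len > SIZE_MAX - 2)
        return NULL;
    char *buf = malloc(len + 2);
    if (buf == NULL)
        return NULL;
    memcpy(buf, data, len);
    buf[len] = '\n';
    buf[len + 1] = '\0';
    return buf;
}

int main(void)
{
    printf("len = -1 passes 'len > 64' check: %d\n", passes_signed_check(-1));
    printf("memcpy would be asked for %zu bytes\n", as_memcpy_size(-1));
    printf("len = SIZE_MAX gives malloc(%zu)\n", naive_alloc_size(SIZE_MAX));
    printf("copy_checked(-1): %d\n", try_copy(-1));

    char *line = copy_line(5, "hello");
    if (line != NULL) {
        printf("copy_line: %s", line);
        free(line);
    }
    printf("copy_line(SIZE_MAX) rejected: %d\n",
           copy_line(SIZE_MAX, "x") == NULL);
    return 0;
}
```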

void vulnerable() {
    char buf[64];
    if (fgets(buf, 64, stdin) == NULL)
        return;
    printf(buf);   /* input is used as the format string */
}

printf("you scored %d\n", score);

[Figure: stack during printf("you scored %d\n", score); labels: caller's sfp, the format string bytes, the argument score and the format string's address, then printf()'s rip and sfp.]

printf("a %s costs $%d\n", item, price);

[Figure: stack during printf("a %s costs $%d\n", item, price); labels: caller's sfp, the format string bytes, the arguments price and item and the format string's address, then printf()'s rip and sfp.]

Fun With printf format strings...
- printf("100% dude!");
  Format argument is missing!

[Figure: stack during printf("100% dude!"); the slot where the argument would be is marked "???", above the format string's address and printf()'s rip and sfp.]

More Fun With printf format strings...
- printf("100% dude!"); prints value 4 bytes above retaddr as integer
- printf("100% sir!"); prints bytes pointed to by that stack entry up through first NUL
- printf("%d %d %d %d..."); prints series of stack entries as integers
- printf("%d %s"); prints value 4 bytes above retaddr plus bytes pointed to by preceding stack entry
- printf("100% nuke m!"); What does the %n format do??

%n writes the number of characters printed so far into the corresponding format argument.

int report_cost(int item_num, int price) {
    int colon_offset;
    printf("item %d:%n $%d\n", item_num, &colon_offset, price);
    return colon_offset;
}

report_cost(3, 22) prints "item 3: $22" and returns the value 7
report_cost(987, 5) prints "item 987: $5" and returns the value 9

Fun With printf format strings...
- printf("100% dude!"); prints value 4 bytes above retaddr as integer
- printf("100% sir!"); prints bytes pointed to by that stack entry up through first NUL
- printf("%d %d %d %d..."); prints series of stack entries as integers
- printf("%d %s"); prints value 4 bytes above retaddr plus bytes pointed to by preceding stack entry
- printf("100% nuke m!"); writes the value 3 to the address pointed to by stack entry

void safe() {
    char buf[64];
    if (fgets(buf, 64, stdin) == NULL)
        return;
    printf("%s", buf);   /* input is data, never the format */
}
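
A small audit helper for the format-string slides above, added here as an example and not taken from the lecture: it parses a string the way printf would and counts the directives that read a value, dereference a pointer (`%s`), or write through a pointer (`%n`), which is why "100% dude!" is not inert text. The struct and function names are hypothetical, and the parser covers the standard conversions only.

```c
#include <stdio.h>
#include <string.h>

/* What printf() would do with its argument list for a given format. */
struct fmt_audit {
    int value_reads;    /* %d %x %c ...: fetch an argument and print it */
    int pointer_reads;  /* %s: treat an argument as char* and follow it */
    int writes;         /* %n: store a count through an argument */
    int star_args;      /* '*' width or precision: fetch an extra int */
};

/* strchr() also matches the terminating NUL, so guard against it. */
static int in_set(char c, const char *set)
{
    return c != '\0' && strchr(set, c) != NULL;
}

struct fmt_audit audit_format(const char *s)
{
    struct fmt_audit a = {0, 0, 0, 0};

    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                      /* "%%" is a literal percent */
            continue;

        /* POSIX positional form "%2$d": skip the "2$" prefix. */
        const char *q = p;
        while (in_set(*q, "0123456789"))
            q++;
        if (q != p && *q == '$')
            p = q + 1;

        while (in_set(*p, "-+ #0'"))        /* flags, including ' ' */
            p++;
        if (*p == '*') {                    /* width */
            a.star_args++;
            p++;
        } else {
            while (in_set(*p, "0123456789"))
                p++;
        }
        if (*p == '.') {                    /* precision */
            p++;
            if (*p == '*') {
                a.star_args++;
                p++;
            } else {
                while (in_set(*p, "0123456789"))
                    p++;
            }
        }
        while (in_set(*p, "hlLqjzt"))       /* length modifiers */
            p++;

        if (*p == '\0')                     /* incomplete directive */
            break;
        if (*p == 's')
            a.pointer_reads++;
        else if (*p == 'n')
            a.writes++;
        else if (in_set(*p, "diouxXeEfFgGaAcp"))
            a.value_reads++;
    }
    return a;
}

/* 1 if the string consumes no arguments when used as a format. */
int format_is_inert(const char *s)
{
    struct fmt_audit a = audit_format(s);
    return a.value_reads + a.pointer_reads + a.writes + a.star_args == 0;
}

int main(void)
{
    /* The strings from the slides, used here only as data. */
    const char *samples[] = {
        "100% dude!", "100% sir!", "100% nuke m!",
        "%d %d %d %d...", "item %d:%n $%d\n", "100%% done",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct fmt_audit a = audit_format(samples[i]);
        printf("values=%d pointers=%d writes=%d inert=%d\n",
               a.value_reads, a.pointer_reads, a.writes,
               format_is_inert(samples[i]));
    }
    return 0;
}
```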

And Now: Let's Walk Through A Stack Overflow
- Idea: We override a buffer on the stack...
  - In the buffer we place some code of our choosing: "Shellcode"
  - Override the return address to point to code of our choosing
- Let's step through the process on an x